CISA Certified Information Systems Auditor Questions and Answers

Data modeling

Data purging

Data visualization

Data mining

Incident management

Demand management

Release management

Configuration management

perform an inventory of assets.

implement data loss prevention controls.

interview IT senior management.

implement monitoring, controls

Evaluation criteria when finalized after the initial assessment of responses

Staff involved in the evaluation were aware of the vendors being evaluated.

Independent consultants prepared the request for proposal (RFP) documents.

The closing date for responses was extended after a request from potential vendors.

Prevention

Inherent

Detection

Control

Before the risk appetite Is established

After compensating have been applied

After internal controls are taken into account.

Before internal controls are taken into account.

Authentication users before conversation are initiated.

Using firewall to limit network traffic to authorized ports.

Logging conversation.

Using call monitoring.

Determine if the laptop had the appropriate level of encryption

Verify the organization's incident reporting policy was followed

Ensure that the appropriate authorities have been notified

Review the photos to determine whether they were for business or personal purposes

with the most ineffective controls.

with the greatest number of threats.

considered critical to business operations.

considered important by IT management

Emergency power-off switch

Stand-by generator

Redundant power supply

Uninterruptible power supply (UPS)

The organization may be more susceptible to cyber-attacks.

The organization may not be in compliance with licensing agreement.

System functionality may not meet business requirements.

The system may have version control issues.

Recommend the service provider update their policy

Report the risk to internal management

Notify the service provider of the discrepancies.

Recommend replacement of the service provider

Critical path analysis

Workforce estimate

GANT chart

Scheduling budget

provide control over program changes

limit access rights of IS staff to the development environment.

provide the basis for efficient system change management

achieve segregation of duties between IS staff and end users

Conduct a surprise audit to determine whether remediation is in progress

Schedule a follow-up audit for two weeks after the initial audit was completed

Conduct a follow-up audit when findings escalate to incidents

Schedule a follow-up audit based on remediation due dates.

Provide data on efficient disk usage.

Deny access to disk resident data files.

Monitor disk accesses for analytical review

Provide the method of control for disk usage

IT projects are delivered on time and under budget

Management is aware of IT-related risks.

Employees understand roles and responsibilities

Reporting and metrics become higher priority.

Upgrade hardware to newer technology.

Increase the capacity of existing systems.

Build a virtual environment

Hire temporary contract workers for the IT function.

Understanding the business environment

Understanding the control framework

Adopting qualitative risk analysis

Developing a comprehensive risk model

Reporting metrics are established.

An education campaign is established upon rollout.

The standards comply with relevant regulations.

Management supports the newly developed standards

An accept able use policy

Device registration

Device baseline configurations

An awareness program

Concurrent access controls

Incremental data backups

Performance monitoring tools

Periodic table link checks

Approval of data changes

User access provisioning

Segregation of duties controls

Audit logging of administrative user activity

documentation controls.

change management controls.

access management controls

reconciliation controls

review the compatibility of the new system with existing network controls

consider the follow-up audit unnecessary since the firewall is no longer being used

assess whether the integrated system addresses the identified risk

evaluate whether current staff is able to support the new system

Review the data leakage clause in the SLA.

verify the ISP has staff to deal with data leakage.

Simulate a data leakage incident.

Review the ISP's external audit report

a capability model.

industry benchmarks

key performance indicators (KPls).

organizational goals.

Audit logging is not available

Secure authorization is not available

System data is not protected.

The system is not included in inventory.

it represents a single point of failure

segregation of duties is not observed.

it is not feasible to implement

access logs may not be maintained

Copies of the DRP are not kept in a secure offsite location.

The CIO has not signed off on the DRP

The disaster recovery steps are not detailed.

The responsibility for declaring a disaster is not identified

a three-tier web architecture.

Secure coding practices

application firewall policy settings

use of common industry frameworks.

Desktop passwords do not require special characters

Employees are not required to sign a non-compete agreement.

Users lack technical knowledge related to security and data protection

Security education and awareness workshops have not been completed

has adequate security.

is accessible online.

does not impact operational efficiency

logs all database records.

IT project management

Configuration management

Application portfolio management

Release management

Amount of disbursements

Volume of transactions

Changes to the vendor master file

Frequency of transactions

The organization does not require approval for social media posts.

Not all employees using social media have attended the security awareness program.

The organization does not have a documented social media policy.

More than one employee is authorized to publish on social media on behalf of the organization

perform testing in a stable environment

obtain segregation of duties between IS staff and end users.

limit the users access rights to the test environment

protect the programs under development from unauthorized testing

Users may not wish for production data to be made available for testing.

All functionality of the new process may not be tested.

Sensitive production data may be read by unauthorized persons.

The error-handling and credibility checks may not be fully proven

Authentication

Nonrepudiation

Data integrity

Replay protection

Standardized controls and economies of scale

Greater consistency among business units

Greater responsiveness to business needs

IT synergy among business units

Verify access control lists to the database where collected data is stored.

Determine how devices are connected to the local network.

Confirm that acceptable limits of data bandwidth are defined for each device.

Ensure that message queue telemetry transport (MQTT) is used.

Cost benefit analysis of running the current business

Projected impact of current business on future business

Expected costs for recovering the business

Cost of regulatory compliance

Dictionary

Denial of service

Social engineering

Programmed

Identify proper resources for audit activities.

Gain an understanding of the area to be audited.

Create a list of key controls to be reviewed.

Document specific questions in the audit program

postpone follow-up activities and escalate the alternative controls to senior audit management

schedule another audit due to the implementation of alternative controls.

reject the alternative controls and re-prioritize the original issue as high risk.

determine whether the alternative controls sufficiently mitigate the risk and record the results

Post-implementation review objectives

Test cases

Rollback strategy

Business case

service catalog is documented.

An account transition manager has been identified.

Expected service levels are defined

The vendor's subcontractors have been identified

Log files w concurrently updated

Log files are encrypted and digitally signed.

Log files are reviewed in multiple locations.

Log files of the servers are synchronized.

logical relationship check

key verification.

completeness check.

reasonableness check

Provide management with a remediation timeline and verity adherence

Schedule a review of the controls after the projected remediation date

Review the progress of remediation on a regular basis

Continue to audit the failed controls according to the audit schedule

Release documentation is not updated to reflect successful deployment

Testing documentation is not attached to production releases.

Developers are able to approve their own releases

Test libraries have not been reviewed in over six months

defines the level of control required to meet business needs

provides a benchmark for process improvement

specifies the mechanism needed to achieve defined service levels

indicates the service levels requited for the business area.

permit the auditor to quantify and fix the level of risk

permit the auditor to quantity the probability of error,

provide each item an equal opportunity of being selected,

require judgment when defining population characteristics

Review and reapprove the business case

Review business goals and objectives

Conduct a new feasibility study

Review and update the business impact analysis (BIA)

First use a symmetric algorithm for the authentication sequence.

encrypt the authentication sequence using a public key.

transmit the actual digital signature in unencrypted clear text.

encrypt the authentication sequence using a private key.

The lack of hardware components availability

The lack of electrical power connections

The lack of appropriate environmental controls

The lack of networking infrastructure

The system makes use of state-of-the-art technology

The organization has staff familiar with the technology

The system has a reduced cost of ownership

The business benefits are achieved even with extra costs

Substantive testing of payroll files

Data analytics on payroll data

Observation of payment processing

Sample-based review of pay stubs

benefits realization has been evidenced

there are unresolved high-risk items

the project adhered to the budget and target date.

users were involved in the quality assurance (QA) testing.

Installing security software on the devices

Restricting the use of devices for personal purposes during working hours

Partitioning the work environment from personal space on devices

Preventing users from adding applications

Developing a DLP policy and requiring signed acknowledgement by users.

Requiring users to save files in secured folders instead of company-wide shared drive

Identifying where existing data resides and establishing a data classification matrix.

Reviewing data transfer logs to determine historical patterns of data flow

Conducting a root cause analysis

Re-evaluating organizational goals

Re-evaluating key performance indicators (KPls)

Conducting a business impact analysis (BIA)

Attend project progress meetings to monitor timely implementation of the application.

Assist users in the design of proper acceptance-testing procedures.

Follow up with project sponsor for project's budgets and actual costs.

Review functional design to determine that appropriate controls are planned.

the server's software is the prime target and is the first to be infected

the server's operating system exchanges data with each station starting at every log-on.

the server's file sharing function facilitates the distribution of files and applications.

users of a given server have similar usage of applications and files.

Running-mission critical, non-web application

Interacting with the public internet

Running internal department applications

External to the organization

Training quizzes are designed and run by a third party company under a contract with the organization

The number of security incidents logged by employees to the help desk has increased in the past year

Security awareness training is run via the organization’s enterprise wide e-learning portal

Security awareness training is not included as part of the on boarding process for new hires

Further review closed unactioned alerts to identify mishandling of threats

Omit the finding from the report as this practice is in compliance with the current policy

Recommend that management enhance the policy and improve threat awareness training

Reopen unactioned alerts and report to the audit committee

Restricting read/write access to production code to computer programmers only

Assigning programming managers to transfer tested programs to production

A librarian compiling source code into production after independent testing

Requiring programming staff to move tested code into production

To efficiently test an entire population

To perform direct testing of production data

To conduct automated sampling for testing

To enable quicker access to information

Registration time

Throughput rate

Accuracy

Ease of use

Senior management commitment

Identification and risk assessment of sensitive resources

Security awareness training

Security policy framework

Monitoring the performance of virtual machines

Cloning virtual machines

Deploying settings to multiple machines simultaneously

Running the virtual machine environment

Degauss the media.

Destroy the media.

Remove the references to data from the access index.

Write over the data with null values.

Confidentiality

Data backup

Redundancy

Completeness

A randomly generated pin communicated by banking personnel

Banking personnel assign the user a new PIN via email

The user enter a new PIN twice

Banking personnel verbally assign a new PIN

Implement a process to test and apply appropriate patches

Apply available patches and continue periodic monitoring

Configure servers to automatically apply available patches

Remove unpatched devices from the network

Number of false negatives

Legitimate traffic blocked by the system

Number of false positives

Reliability of IDS logs

Router configuration

Password policy

Security logs

Services/daemons configuration

The testing could create application availability issues.

The testing may identify only known operating system vulnerabilities.

The issues identified during the testing may require significant remediation efforts.

Internal security staff may not be qualified to conduct application penetration testing.